New code to combat cyber attacks on ports and port systems
A new Code of Practice on Cyber Security for Ports and Port Systems has recently been launched. The Code was commissioned by the Department of…
A new Code of Practice on Cyber Security for Ports and Port Systems (“the Code”) has recently been launched. The Code was commissioned by the Department of Transport (“DfT”) and has been prepared by The Institution of Engineering and Technology (“IET”). It provides advice and guidance for senior managers and those with responsibility at UK ports for protecting their facilities from risks arising from a cyber security attack on the port’s electronic or computer based systems.
Potential cyber attacks on port systems are an increasingly serious issue for the marine industry generally and ports and terminals in particular. The number and nature of incidents has increased at an alarming rate since the high profile attack which took place on the systems of the Port of Antwerp in October 2013. In that attack, drug traffickers employed hackers to break into the systems controlling the movement of containers within the port. It is suspected the security breach may have occurred two years earlier in 2011 and remained undetected. The traffickers had concealed drugs in containers arriving at the port from South America and, having secured access to the Port’s systems, were able to remove the containers from the port before collection by the correct receiver. There have been other cyber security incidents, involving infection by malware of port systems and interference with wireless networks.
Cyber security is not just about preventing hackers gaining access to systems and information. It also involves the maintenance and integrity of port systems to ensure safe and reliable availability of information. Failure to do so could threaten a port’s business continuity.
The integrity of port security personnel and the due diligence checks carried out as part of the recruitment process is also important. The unfortunate reality is that attacks are very often “inside jobs” committed by, or with, considerable assistance from the port’s own staff. On site contractors also pose the threat of malicious attacks. A failure to address security risks could lead to serious personal injury or fatality, disruption or damage to port systems and operations, loss of use of buildings, loss of revenue, reputational damage, financial penalties and litigation.
Port facilities are now increasingly complex and dependent on information and communication technologies. This technology can be found in the fixed and mobile assets used to operate the port or remotely located in other systems used to schedule vessel and cargo movements.
The Code provides practical advice on such matters as:
- Developing a Cyber Security Assessment (“CSA”) and a Cyber Security Plan (“CSP”);
- Creating suitable structures, roles, responsibilities and processes for dealing with cyber-security threats;
- The handling of security breaches and attacks; and
- An understanding of important national and international standards in this area and their relationship to existing UK regulations.
The Code suggests that individuals responsible for cyber security at a port should be identified and formally designated as cyber security officers (“CSOs”). A port security committee (“PSC”) could be created if one does not already exist. Where a port has established a port security authority (“PSA”) under the Port Security Regulations 2009, it may be appropriate to discuss cyber security matters at meetings of the PSA. Ports should consider the establishment of a security operations centre (“SOC”) and consider the arrangements for releasing information to third parties and for managing security incidents or breaches. These will be heavy burdens to discharge.
The Code is required reading for all individuals who are involved in the financial and operational management of ports and who deal with contractual arrangements with any third parties. Those involved in the design, construction, operation and maintenance of port systems will need to be intimately familiar with the provisions of the Code. The Code should greatly assist port managers to deal effectively with implementing security procedures to deal with cyber-security incidents and breaches of port systems. It is intended to be used as an integral part of an organisation’s overall risk management system so as to manage the cyber security of port systems in an effective manner.
Should you have any queries please do not hesitate to contact Phil James, Partner & Head of Marine on 0151 243 9849 or email firstname.lastname@example.org.